[Figure: process model. PROCESS, supported by procedures and methods defining the relationship of tasks, by people with skills, training and motivation, and by tools and equipment. Related documents: Professional Documents, Culture Documents, CMMI Guidelines]
IMA - INTRODUCTION
1.1 Purpose
IMA system concepts are presented, including the platform and modules, and their relationships to the hosted applications and avionics functions used in an aircraft installation.
1.2 Scope
This material addresses all parties involved in the development, integration and V&V of IMA systems, and is focused on IMA-specific aspects of design assurance (which may use incremental acceptance). It is the primary industry-accepted guidance for satisfying airworthiness requirements for IMA components. The ability to obtain incremental acceptance of individual items of the IMA platform (including the core software) and of hosted applications enables the reduction of follow-on certification efforts without compromising system safety.
1.3 Background
The evolution of software and microelectronics technology enables the introduction of new aircraft functions, new capabilities and increased levels of complexity. The need to perform these complex functions necessitates the use of high-performance computing platforms that can host multiple applications on a single processor or a distributed network of processors. IMA is a shared set of flexible, reusable, and interoperable hardware and software resources that, when integrated, form a platform that provides services, designed and verified to a defined set of safety and performance requirements, to host applications performing aircraft functions.
IMA - INTRODUCTION
1.4
In addition to the airworthiness regulations and requirements, various national and international standards for software, avionics, complex electronics, and safety are available. In some communities, compliance with these standards may be required.
1.5 References
The latest versions of the following documents apply:
[1] RTCA DO-160 / EUROCAE ED-14, Environmental Conditions and Test Procedures for Airborne Equipment
[2] RTCA DO-178 / EUROCAE ED-12, Software Considerations in Airborne Systems and Equipment Certification
[3] RTCA DO-200 / EUROCAE ED-76, Standards for Processing Aeronautical Data
[4] RTCA DO-201 / EUROCAE ED-77, Industry Requirements for Aeronautical Information
[5] RTCA DO-248 / EUROCAE ED-94, Final Annual Report for Clarification of DO-178B Software Considerations in Airborne Systems and Equipment Certification
[6] RTCA DO-254 / EUROCAE ED-80, Design Assurance Guidance for Airborne Electronic Hardware
[7] RTCA DO-255 / EUROCAE ED-96, Requirements Specification for Avionics Computer Resource (ACR)
[8] SAE ARP4754 / EUROCAE ED-79, Certification Considerations for Highly Integrated or Complex Aircraft Systems
[9] SAE ARP4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
[10] FAA AC 20-148, Reusable Software Components
[11] FAA TSO-C153, Integrated Modular Avionics Hardware Elements
[12] FAA Order 8110.49, Software Approval Guidelines
[13] ARINC 615A, Software Data Loading
[14] ARINC 651, Design Guidance for Integrated Modular Avionics
[15] ARINC 653, Avionics Application Software Standard Interface
[16] ARINC 664, Aircraft Data Network
1.6
This presentation is intended to be used only internally. It recognizes that the guidelines herein are not mandated by law, but represent some basic ideas of the aviation community. This presentation is only a topic-list introduction for the reader.
NOTE: When US Advisory Circulars are referenced, they are intended as material that may supply topics and areas for the applicant to consider. All requirements should be coordinated with the applicant's local certification authority.
IMA - OVERVIEW
2.1 Certification Terminology
Certification
TSO Authorization
Acceptance
Approval
Incremental acceptance
IMA - OVERVIEW
2.3 Key Characteristics
The key characteristics of IMA platforms and hosted applications influence the IMA system architecture, the detailed system design, and, ultimately, the IMA platform and system acceptance process.
Key Platform Characteristics
a. Integrity considerations
b. Design assurance
c. IMA safety and protection features
d. Fault detection and partitioning
e. Health monitoring and fault management, fault reporting, and recovery actions
Key Application Characteristics
An application may be designed independent of other applications and obtain incremental acceptance on the IMA platform independently of other applications.
Applications can be integrated onto a platform without unintended interactions with other hosted applications.
Applications may be reusable.
Applications are independently modifiable.
Composability considerations
A new function will not invalidate a property once that property has been established.
System properties follow from subsystem properties.
III Semana de Engenharia Aeronáutica EESC USP - 2006
IMA - OVERVIEW
2.3.2 Shared Resources
IMA systems may host several applications that share resources. Each shared resource has the potential to become a single point failure that can affect all applications using that resource. Shared resources:
CPU(s)
Memory
Associated interfaces
I/O devices
Data buses
Shared memory
Electrical power
Processor cycles
Bandwidth
The IMA platform provides resource management capabilities for shared resources, and health monitoring and fault management capabilities to support the protection of shared resources.
2.3.3 Robust Partitioning
Robust partitioning is a means for assuring the intended isolation and independence in all circumstances (including hardware failures, hardware and software design errors, or anomalous behavior) of aircraft functions and hosted applications using shared resources.
2.3.4
An API defines the standard interfaces between the platform and the hosted applications, and provides the means to communicate between applications and to use I/O capabilities (see the ARINC standards listed in the references).
2.3.5
Health monitoring and fault management (HM/FM) functions deserve special attention due to the integration of multiple applications and resource sharing. Unlike federated systems, IMA systems manage platform faults, hardware failures, partitioning violations, and errors and anomalous behavior of hosted applications, including common mode faults and cascading failures. The IMA platform provides health monitoring and fault management capabilities for the platform and hosted applications.
The IMA system may provide health monitoring and fault management capabilities to support availability and integrity requirements.
IMA - OVERVIEW
2.4 Stakeholders
The assignment of roles and responsibilities is necessary, and should address the entire IMA system life cycle from conceptual design to retirement.
2.4.1 Certification Authority
The certification authority is the organization(s) granting approval on behalf of the state(s) responsible for aircraft or engine certification.
2.4.2 Certification Applicant
The applicant is responsible for the demonstration of compliance with the applicable aviation regulations, and is seeking a Type Certificate (TC), Amended TC (ATC), Supplemental Type Certificate (STC) or Amended STC (ASTC).
2.4.3 IMA System Integrator
The IMA system integrator performs the activities necessary to integrate the platform(s) and hosted applications to produce the IMA system.
2.4.4 IMA Platform and Module Supplier
The IMA platform and module suppliers provide the processing hardware and software resources, including the core software.
2.4.5 Application Supplier
The application supplier develops the hosted application and verifies it on the IMA platform. The application supplier should ensure that any hardware or software resources that are unique to the hosted application meet the integrity and availability requirements consistent with the assigned failure condition classification as determined by the aircraft system safety assessment.
2.4.6 Maintenance Organization
The maintenance organization follows the appropriate approved procedures received from the certification applicant to keep the IMA system and the aircraft in an airworthy condition.
The development of an IMA system is based on an IMA platform containing hardware and software that are common and can be shared by the hosted applications.
[Figure: Example of a typical design highlighting potential shared resources. Typical hardware modules: Data Bus, I/O, Application. Typical software modules (Common Software): Real Time Executive, Built-in Test, On-board Maintenance System, Protocol, I/O Processing]
a. Resource management of shared resources is developed and verified, including addressing periodic and aperiodic modification intervals, to ensure that modifications do not adversely affect the behavior of aircraft functions using these resources.
b. Dispatch requirements allocated to the IMA platform are implemented and verified.
c. Human factors requirements pertaining to the IMA system are implemented and verified.
d. An IMA System Certification Plan is developed that satisfies the objectives of this document and describes how this plan relates to other aircraft certification activities and plans.
3.1.1 Reusable IMA Platform Development Process
The IMA platform should be defined and developed independently of the specific aircraft functions and the hosted applications.
a. Define the IMA platform concept:
   - The architecture definition.
   - An approach for integrating hosted applications, both hardware and software, onto the IMA platform.
   - An IMA platform acceptance approach.
   - An IMA system certification approach that includes support for hosted applications and stakeholder roles and responsibilities for developing compliance data.
   - A list of platform services to be provided to the hosted applications.
   - The intended level of aircraft function availability and integrity needed, the platform capabilities to support it, and the methods provided for supporting it.
   - The health management and fault management approaches.
   - The platform and IMA system configuration management approaches.
b. Define the IMA platform requirements:
   - Safety capabilities.
   - Performance capabilities.
   - Configuration management approach.
   - Environmental conditions under which the platform modules are intended to operate.
   - Fault management and reporting approach and requirements, including considerations for fault tolerance, fault isolation to modules, and detection and isolation of single failures.
   - Detailed requirements for each aspect of the concept definition.
   - An IMA platform architecture which has been defined and evaluated against the required safety capabilities.
c. Develop and implement the IMA platform design. The software and hardware development processes should follow DO-178B and DO-254 at the appropriate level to meet the required safety requirements. Additionally, a common cause analysis (CCA) should be performed, and a qualitative failure analysis for the various top level events defined for the platform should be developed.
d. Verify and validate the IMA platform, addressing the following activities:
   - Perform environmental qualification testing to the specified environmental conditions.
   - Perform a partitioning analysis and verification testing; verify other protection capabilities and safety features.
   - Complete the CCA.
   - Complete the numerical analysis showing that the implementation meets the reliability requirements and capabilities.
   - Address modules sharing an environment and resources together.
e. Obtain IMA platform acceptance using the module acceptance approach. All IMA platform requirements should be validated and verified. Traceability between the requirements, implementation, and verification activities should be developed and maintained.
a. Develop the IMA system architecture, addressing the following aspects:
   - Develop the IMA System Certification Plan based on aircraft requirements, hosted applications and the IMA system certification approach.
   - Determine the quantity, quality and type of IMA platform modules and resources needed to provide the capability to meet all application requirements, including functional, performance, safety, availability, integrity, and redundancy requirements.
   - Determine any aircraft function requirements driven by the capabilities of the IMA platform modules.
   - Perform a Preliminary System Safety Assessment (PSSA) for each hosted application using the IMA platform's safety requirements.
   - Evaluate the aircraft effects from the combination of platform, hosted application and shared resource failures.
   - Identify changes required to the allocation of IMA platform resources to correct any issues identified from the individual and combined PSSA activities.
b. Implement the IMA system, including the following activities:
   - Develop the applications and perform partial verification.
   - Integrate applications onto the platform, complete platform core software verification, complete application verification, and perform IMA system V&V activities, including application/platform integration testing (software integration testing, hardware/software integration testing).
   - Develop the initial IMA system failure analysis using IMA platform top level events as basic events for the hosted applications' failure analyses.
   - Evaluate the combination of IMA platform component failures affecting hosted applications which could lead to aircraft level effects, and adjust the allocation and/or application implementation as necessary. (Each IMA platform component failure should have a unique top level event.)
   - Perform aircraft ground and flight testing to validate assumptions in the SSA, requirements and environmental definitions.
c. Integrate, validate, verify, and obtain acceptance of the IMA system (off aircraft).
   - The specific configuration of applications in the IMA system should be shown to meet their requirements (including performance, redundancy management, and IMA platform interface requirements).
   - Numerical analyses for each hosted application should be developed to show that it complies with its FHA. Additionally, the hosted application numerical analyses should be combined into an IMA system hardware numerical analysis that shows that the combined events satisfy the aircraft level safety and reliability requirements.
d. Integrate, validate, verify, and obtain acceptance of the IMA system installed on the aircraft.
Health Monitoring and Fault Management
Components and aspects to be monitored
Health determination of each application
Health determination of the IMA system as a whole
Response to each type of failure
Flight Crew Annunciation and Messaging
Control of Maintenance Actions and Reporting
Redundancy Management
Single Event Upset (SEU) Faults
3.5.2 Partitioning Analysis
A partitioning analysis should be performed to demonstrate that no application or sub-function in a partition could adversely affect the behavior of a sub-function or application in any other partition. All propagation paths between partitions should be identified.
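As an added illustration of the robust partitioning property (2.3.3) and of the partitioning analysis above, the following C program is example code written for this page, not code from the presentation or from any ARINC 653 implementation. It statically checks a constructed partition configuration for two of the shared resources listed in 2.3.2, processor time and memory; the partition names, the 20 ms major frame and the address ranges are constructed sample values, and the check functions are hypothetical names.

```c
/* Added example (not from the presentation): a static robust-partitioning check
 * over a constructed ARINC 653-style configuration. Two shared resources from
 * 2.3.2 are checked: processor time (partition windows must fit the major frame
 * and not overlap) and memory (partition regions must be disjoint). Each finding
 * is a propagation path between partitions that the analysis must close. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uint64_t start_us, duration_us; /* window offset and length in the major frame */
    uint64_t mem_base, mem_size;    /* partition memory region, in bytes */
} partition_t;

/* True when [a, a+la) and [b, b+lb) share at least one unit. */
static bool ranges_overlap(uint64_t a, uint64_t la, uint64_t b, uint64_t lb) {
    return a < b + lb && b < a + la;
}

/* Time partitioning: number of windows that run past the frame or overlap. */
int check_time_partitioning(const partition_t *p, size_t n, uint64_t major_frame_us) {
    int violations = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].start_us + p[i].duration_us > major_frame_us) {
            printf("TIME: %s runs past the major frame\n", p[i].name);
            violations++;
        }
        for (size_t j = i + 1; j < n; j++)
            if (ranges_overlap(p[i].start_us, p[i].duration_us, p[j].start_us, p[j].duration_us)) {
                printf("TIME: windows of %s and %s overlap\n", p[i].name, p[j].name);
                violations++;
            }
    }
    return violations;
}

/* Space partitioning: number of partition pairs whose memory regions overlap. */
int check_space_partitioning(const partition_t *p, size_t n) {
    int violations = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (ranges_overlap(p[i].mem_base, p[i].mem_size, p[j].mem_base, p[j].mem_size)) {
                printf("SPACE: memory of %s and %s overlaps\n", p[i].name, p[j].name);
                violations++;
            }
    return violations;
}

/* Constructed sample, 20 ms major frame: in bad_config MAINT collides with DISP in
 * both time and memory; good_config moves it to its own window and region. */
const uint64_t MAJOR_FRAME_US = 20000;
const partition_t bad_config[] = {
    {"FMS",   0,     8000, 0x10000000, 0x00100000},
    {"DISP",  8000,  6000, 0x10100000, 0x00080000},
    {"MAINT", 12000, 4000, 0x10140000, 0x00040000},
};
const partition_t good_config[] = {
    {"FMS",   0,     8000, 0x10000000, 0x00100000},
    {"DISP",  8000,  6000, 0x10100000, 0x00080000},
    {"MAINT", 14000, 4000, 0x10180000, 0x00040000},
};
```

Running both checks over bad_config reports one time and one space violation (DISP versus MAINT), while good_config reports none.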
IMA System Configuration Management
Configuration Data
Guidance on Use of Shared Databases
Master Minimum Equipment List (MMEL)
Design Considerations for MMEL
Approval Considerations for an MMEL
Human Factors Considerations
Overview of the Certification Process
Task 1 Module Acceptance
Module Acceptance Objectives
Module Acceptance Data
Module Acceptance Plan (MAP)
Module Requirements Specification (MRS)
Module Validation and Verification (V&V) Data
Module Quality Assurance (QA) Records
Module Configuration Index (MCI)
Module Acceptance Configuration Management (CM) Records
Module Acceptance Accomplishment Summary (MAAS)
Module Acceptance Data Sheet (MADS)
Module Problem Reports
Additional Module Acceptance Life Cycle Data
4.3 Task 2 Application Acceptance
4.3.1 Application Acceptance Objectives
4.3.2 Application Acceptance Data
4.4 Task 3 IMA System Acceptance
4.4.1 IMA System Acceptance Objectives
4.4.2 IMA System Acceptance Data
4.4.3 IMA System Certification Plan (IMASCP)
4.4.4 IMA System Validation and Verification Plan (IMASVVP)
4.4.5 IMA System Configuration Index (IMASCI)
4.4.6 System-level IMA Accomplishment Summary (IMAAS)
4.4.7 Other IMA System Life Cycle Data
Task 4 Aircraft Integration of IMA System (Including V&V)
Aircraft Integration Objectives
Aircraft-level IMA System Compliance Data
Aircraft-level IMA System Certification Plan (IMASCP)
Aircraft-level Validation & Verification Plan
Aircraft-level IMA System Configuration Index (IMASCI)
Aircraft-level IMA Accomplishment Summary (IMAAS)
Other Aircraft-level Data
Task 5 Change of Modules or Applications
Changes to IMA System Modules, Resources and Applications
Change Objectives
Change Management Process
Change Impact Analysis (CIA)
Change Data
Task 6 Reuse of Modules or Applications
Objectives of the Reuse Process
Reuse of a Software Module or Application
Reuse of a Complex Electronic Hardware Module or Application
Reuse of Environmental Qualification Test Data
Reuse of a Module that Contains Software and Hardware
Reuse Compliance Data
5.1 Safety Assessment
5.1.1 Responsibilities of the Certification Applicant
5.1.2 Responsibilities of the IMA System Integrator
5.1.3 Responsibilities of the IMA Platform Developer
5.1.4 Responsibilities of the Application Developer
5.1.5 Safety Assessment Activities
5.2 System Development Assurance
5.2.1 Software Guidance
5.2.2 Electronic Hardware Guidance
5.2.3 Integration
5.2.4 Tool Qualification
5.2.5 Shared Design Assurance
5.2.6 IMA System Configuration Management
5.3 Environmental Qualification Testing
5.4 Validation
Verification
5.5 Configuration Management (CM)
5.5.1 IMA System Configuration Management Plan
5.5.2 Configuration Control
5.6 Quality Assurance
5.7 Certification Liaison
5.7.1 Certification Liaison Process
5.7.2 Means of Compliance and Planning Data
5.7.3 Development Life Cycle Data
5.7.4 Compliance Substantiation Life Cycle Data
5.7.5 Submittals
5.7.6 Certification Liaison Process When Changes Are Made
5.7.7 Certification Liaison Process For Reuse of Modules
[Figure: IMA module architecture. Config tables; several partitions communicating through the API; memory; specific HW; power supply; network; I/O channels]
Key characteristics of the module:
a. A stand-alone platform, or a module for use within a larger IMA system.
b. The core software manages multiple software partitions, and provides robust partitioning between applications.
c. Robust partitioning of the network interface.
d. The LRU is adapted to ensure the CPU time, memory and I/O requirements of each software application.
e. Another key characteristic is a high level of internal fault/failure detection.
Distributed modular platform
a. the General Processing Module (GPM)
b. the Power Supply Module (PSM)
c. the I/O Module (IOM)
The platform also uses core software components, which provide a uniform API to applications:
[Figure: federated LRU compared with a distributed IMA subsystem: sensors, effectors, switches, CPMs, RIUs, IOM and resource center]